malware analysis 
for the enterprise 
yesterday: "impenetrable defense" 
today: tourist attraction 
obligatory narcissism 

• worked in IT security for > 10 years 

• employed with the BT ethical hacking team 

• contribute to various malware research 
groups & internet security communities 

• PoC for the 585 defcon group 



compliance != security 




we're not getting better at securing 
systems 








we are becoming adept at evading 
the average security auditor. 




"has data loss jumped the shark?" 




Despite the statements in the prior slide, 
we are seeing a decrease in data loss incidents 



owned != data loss 




Websense states in their 2009 Q1 "State of the Internet" report: 







671% growth in malicious web sites in the 





77% of these were legitimate sites that had 
been compromised. 





what does that mean? 



attackers may not be 
interested in your data 



at all. 



the intended victim may 
not even be your 
customer. 




they may be looking to 



use your brand image. 
industry: 

let's use signatures! 




malware: 



i can has packing, 
crypto, and some 
polymorphism? 




arms race ++ 




protection fail. 



heuristics won't save you 
they can be useful and effective 



they miss things 




especially if multiple stages are involved 
some ways malware defeats AV 

encrypt the code with strong ciphers and 
randomized keys 



alter the codebase in an automated fashion 
(polymorphism) 



pack the executable 






the state of anti-malware is abysmal 



reactive technology is, by definition, 
not going to be securing proactively. 
• examples of suckage: 

• different signatures for the same 
malware. 

• vendors can't even agree on a name! 





alerts 



constantly! 




think about that for a minute 



at least AV is catching stuff, 
that's good, right? 



the host was probably compromised 
before AV caught whatever it alerted on. 




that's because malware does not infect a 
host using a single stage process. 



how malware works 

(image taken from the FireEye Research Blog: 
http://blog.fireeye.com/research/2009/04/botnetweb.html) 



it's a business, not a kiddie 



payroll 



support models 




distribution channels 




strategic partnerships 
downloads, droppers & rootkits, oh my! 





stage one: drive-by download 







stage two: load more malware 



stage three: profit! 
pfft. only mom & pop sites are being used for ..., right? 




(screenshots: the "Windows 7" page and the "Download iTunes" page) 
um. wow. that sucks 



yes. yes it does 





still think you're safe because IDS, AV, or 
even a QSA says so? 







that's OK, so did these 





(logo: Heartland Payment Systems - "The Highest Standards | The Most Trusted Transactions") 



current (2009) US population:          307 million 
records lost by these companies:       264 million 
percentage of population "owned":      ~86% 



more lessons from heartland 



• malcode authors are invested in 
long term solutions 

• malware is increasingly targeted 



scary example time 





URLZone 



My balance is fine! 



Monkif/DIKhora 




Nothing here but us JPEGs 



where does malware 
analysis fit in? 
virus protection is familiar to us 




as a result, we treat infection casually 



a virus alert is a security incident 





does your incident response policy 
address virus alerts? 





malware is bad 



analyzing it is necessary 






how do we do that? 

• static analysis 

• run-time analysis 









what is a sandnet? 





a test environment using 





multiple hosts 







isolated from the production 
network 




used to analyze malicious 



software 








what are the options? 



online labs 



virtual machines 



bare metal 




online labs vs. roll your own 

roll your own: 

• more comprehensive 

• potentially less problematic 

• more expensive 

• harder 
vm, or bare metal? 



vm is cheaper & more efficient 





bare metal may be more accurate 





jumping the sharK! 






(demo of sharK 3.1) 



how many hosts? 

At least 2 probably 

— Victim 

— Services / Monitoring 




> VBoxManage list vms 

"linux" {ad59f194-585e-49c5-a54c-5e92322b1188} 
"winxp_sp3_01" {7a554f4e-6aea-42f1-a3c5-488d43f161ff} 





network configuration 





haven't found a "good" solution for that yet 





(IPS on outbound traffic?) 



use the internal network feature 





> VBoxManage showvminfo winxp_sp3_01 

Name:            winxp_sp3_01 
Guest OS:        Windows XP 
UUID:            7a554f4e-6aea-42f1-a3c5-488d43f161ff 
Memory size:     512MB 
VRAM size:       12MB 
Number of CPUs:  1 
NIC 1:           MAC: 080027D32767, Attachment: Internal Network 'intnet' 





dhcp - because dynamic 




> VBoxManage dhcpserver add --netname intnet --ip 192.168.3.1 --netmask 255.255.255.0 --lowerip 192.168.3.1... --upperip 192.168.3.... --enable 




monitoring traffic 





let the VM do the work for you 




> VBoxManage modifyvm linux --nictrace1 on --nictracefile1 "C:\Users\Test\linux.pcap" 




dns - all your zones 





configured to be SOA for 
returns the IP of the monitoring 
host for all resource requests 



Remember the MX 



db.wildcard: 

$TTL    604800 
@       IN      SOA     localhost. root.localhost. ( 
                        2010012201      ; serial 
                        604800          ; refresh 
                        86400           ; retry 
                        2419200         ; expire 
                        604800 )        ; negative cache ttl 
        IN      NS      localhost. 
        IN      MX 10   192.168.3.101 
*       IN      A       192.168.3.101 



mod_forensic is your friend 



configuration is easy: 




ForensicLog /var/log/apache2/forensic_log 



# Enable and reload: 

# a2enmod log_forensic 

# apache2ctl reload 





fun with netcat 






easy to set up: 

# netcat -nvlp 8080 -o tcp_8080.txt 




< 00000000 47 45 54 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a # GET / HTTP/1.1.. 
< 00000010 41 63 63 65 70 74 3a 20 69 6d 61 67 65 2f 67 69 # Accept: image/gi 
< 00000020 66 2c 20 69 6d 61 67 65 2f 78 2d 78 62 69 74 6d # f, image/x-xbitm 
< 00000030 61 70 2c 20 69 6d 61 67 65 2f 6a 70 65 67 2c 20 # ap, image/jpeg,  
< 00000040 69 6d 61 67 65 2f 70 6a 70 65 67 2c 20 61 70 70 # image/pjpeg, app 
< 00000050 6c 69 63 61 74 69 6f 6e 2f 78 2d 73 68 6f 63 6b # lication/x-shock 
< 00000060 77 61 76 65 2d 66 6c 61 73 68 2c 20 2a 2f 2a 0d # wave-flash, */*. 
< 00000070 0a 41 63 63 65 70 74 2d 4c 61 6e 67 75 61 67 65 # .Accept-Language 
< 00000080 3a 20 65 6e 2d 75 73 0d 0a 41 63 63 65 70 74 2d # : en-us..Accept- 
< 00000090 45 6e 63 6f 64 69 6e 67 3a 20 67 7a 69 70 2c 20 # Encoding: gzip,  
< 000000a0 64 65 66 6c 61 74 65 0d 0a 55 73 65 72 2d 41 67 # deflate..User-Ag 
< 000000b0 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 # ent: Mozilla/4.0 
< 000000c0 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 #  (compatible; MS 
< 000000d0 49 45 20 36 2e 30 3b 20 57 69 6e 64 6f 77 73 20 # IE 6.0; Windows  
< 000000e0 4e 54 20 35 2e 31 3b 20 53 56 31 29 0d 0a 48 6f # NT 5.1; SV1)..Ho 
< 000000f0 73 74 3a 20 31 39 32 2e 31 36 38 2e 33 2e 31 30 # st: 192.168.3.10 
< 00000100 31 3a 38 30 38 30 0d 0a 43 6f 6e 6e 65 63 74 69 # 1:8080..Connecti 
< 00000110 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a # on: Keep-Alive.. 
< 00000120 0d 0a                                           # .. 
javascript de-obfuscation 



SpiderMonkey rules 



biggest issue is no 'document' object 



Didier Stevens' port is even better 

— adds features specific to malware 
analysis 

— including document.write() 





online resources 

Anubis: 



Virus Total 



CERT.at Do-It-Yourself Kit 



if you want to contact me for 

some crazy reason, here's how you can: 







https://twitter.com/rossja 



algorythm@gmail.com 











